CyberWire Daily - Are you running what you think you're running? [Research Saturday]

Episode Date: July 11, 2020

Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly. As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques. Joining us on this week's Research Saturday is Maggie Jauregui, security researcher at Dell, to discuss this issue. The research can be found here: Three firmware blind spots impacting security

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:02:27 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Starting point is 00:02:56 Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. There are dozens of configurations that are set that are time sensitive and that if they're not done correctly, the underlying security assumptions
Starting point is 00:03:23 that we operate on may be broken. That's Maggie Haurigy. She's a security researcher at Intel. The research we're discussing today is titled Three Firmware Blind Spots Impacting Security. It's interesting to think of a computer not just as one system, but as multiple small embedded systems combined into one. And each one of them having their own code that needs to be updated, that we need to make sure is authentic, is recent, hasn't been tampered with. And so if I'm talking to someone non-technical at all, I would describe it maybe as a lot of things happen between the moment when you push the reset button on your platform and when you actually see something on the screen. Can you give us a little bit of the history here, of the backstory as the systems have become more complex, as computers are doing more and more things. Does that mean that we have more areas within the systems that are running their own firmware?
Starting point is 00:04:34 It may be. We usually have one type of memory and one type of network card. They usually don't go up exponentially. We just have different combinations. And those combinations can be interesting because the awareness of what I'm running exactly is not always there. And that was the whole point of this article of what are the blind spots? Do we even know what we're running? When you find a vulnerability in one of these components, knowing exactly which systems are affected, it can affect dozens of systems out there and making sure that each one of them has applied updates and are doing all the right things all at the right time, that all of these different components are working together and doing the right things is tricky.
Starting point is 00:05:24 are working together and doing the right things is tricky. Well, let's explore that. I mean, when you're looking into firmware, when you're trying to find those blind spots, can you take us through that process? How does it work? So we've identified three main ones. Firstly, it's important to just even know that firmware is a potential attack vector. Gartner named it one of the top three attack vectors for platforms and firmware security. So being aware that it's potentially a problem. And one of the things that one of my mentors, Joseph Fitzpatrick, he's a renowned hardware security researcher, mentions is to make sure to always know your CIA, your confidentiality, integrity, and availability. What specific security objectives do we have for our firmware? Do I care about the confidentiality of certain things? For example,
Starting point is 00:06:16 your BIOS password. And if someone had access to my flash content, they may be able to see it, and that may be an authentication bypass, and that would be problematic. So I probably care about confidentiality for my UEFI password. Availability. Making sure that my firmware hasn't been corrupted so that we don't have a potential permanent denial of service that can be cumbersome and costly is important. We want to make sure their systems are available to be used. And integrity goes a little bit with the availability, making sure that I'm running what I think I'm running, that what I'm running is authentic, and that what I'm running is recent. Now, how do you go about verifying that? As a researcher, if you're going in and examining firmware in a system, can you walk us through the steps that you take to ensure that what you're seeing is what's supposed to be there? So there are many things that we can do. do justice, right? That make sure that they perform measurements and verification on the
Starting point is 00:07:25 firmware that we're running to make sure that it's authentic and that we're running what we're thinking we're running. But there's also tools to check the configuration of a platform because that can be complex. It can be defined differently for different generations of platforms. And there's a lot of different configurations to check. So running scanners like Chipsack that give visibility into all these configurations are recommended. And Chipsack, for example, is an open source project that's supported by Intel as well as the security community. And it's one of the good things about Chipset is that it's incremental. So as we find more things and more things are reported to Intel or proactively found, we add them to the scanner so that we can raise the bar across the industry
Starting point is 00:08:14 and everybody, customers and users and OEMs are able to check for the correct configuration of their specific system. to check for the correct configuration of their specific system. What sort of advice do you have for organizations that want to start down this path? Perhaps they haven't really paid much attention to the firmware side of things. It's sort of out of sight, out of mind. How do they get going? Where do they begin?
Starting point is 00:08:47 The single most simple and powerful step towards improving platform security are regular updates. So we've really come a long way as a security industry in companies having their in-house research teams and having security conferences almost every day researchers around the world to fix, proactively fix things that are found, coordinated disclosure and embargo security advisories. If we don't install those, if we don't take advantage of what's there, we increase the window of opportunity for potential attackers that may not even need to be all that sophisticated that just saw an update and noticed that now there's a window of opportunity to do some malicious thing here. Are there any common misperceptions that people have when it comes to firmware? Any common things that you see where people's understanding isn't really what it should be? I think more than the understanding, it's either awareness or there are
Starting point is 00:09:47 real reasons why companies and organizations struggle with prompt firmware updates, for example. The downtime can be costly. There can be fear of breaking a platform and having that be potentially catastrophic with industrial control systems or critical infrastructure. So it's a complex field and there are real reasons why we're not moving in a more swift way. say is awareness, and then taking steps and precautions so that we don't fall into these fears and potential real problems that can arise with updates, for example. Where do you suppose we're headed? What does the future look like when it comes to how we're going to deal with firmware, how we're going to protect it? I believe we're going to continue to evolve and continue to get more sophisticated. I believe we're going to continue to evolve and continue to get more sophisticated. As higher levels of the stack have been hardened, the attention has focused more and more on hardware and firmware level security.
Starting point is 00:11:02 So the natural order of things is we're just going to get more sophisticated. We're going to get better at it. We're already a lot better than we used to be. Well, the kind of things that keep me up at night are quotes. I heard a quote that really resonated with me that said, old days are scarier than old days. For firmware, I think this is particularly true, especially with the timelines that it takes for us to be able to get updates and for people to choose whether or not they want to install them. So one of my big fears is having a want-to-cry type scenario in firmware or hardware that is potentially catastrophic,
Starting point is 00:11:31 where we have fixes for the issues, but it hasn't been patched. So hopefully we get better at figuring out ways to patch in ways that are less dangerous. What about trying to discover what you don't know, to know what you don't know? I guess I'm thinking of, is it practical to audit your firmware? I'm imagining that person who has a system that's running fine. They're thinking about that old adage of, you know, if it ain't broke, don't fix it. But I suppose you can't function that way these days. You have to go in there and, well, I guess it's a best practice to make sure that the firmware is what it's supposed to be. Yes. And that is the main issue. And the main blind spot is visibility. I always like to tie
Starting point is 00:12:23 it back to a house example. If you come back to your house one day and the doors open or there's a broken window, you clearly know that potentially something happened and you can go look and find something missing. But if someone has potentially installed a backdoor in your system, they could be just persisting and doing nothing for a long period of time. Or they could be having a keylogger installed that sends all of your keystrokes somewhere. There's not a red flag. The detection of my system is in a correct configuration in which I expect it to be, but also, did something happen? The visibility for us to detect both of those scenarios, I think, are where we can tackle the lack of visibility, right?
Starting point is 00:13:10 Installing and using tools. Do you find that people tend to be a little intimidated when it comes to firmware? I believe so. I believe people think it's some dark, obscure art. And that's not necessarily the case, right? It's software at the end of the day. In your mind, what are the take-homes? When you sort of send someone off with your words of wisdom when it comes to firmware, what sort of things do you share?
Starting point is 00:13:37 We need to make sure that we have a plan in place to know what we're protecting against and what we're not. Do we care about evil maids, physical presence? Is that in scope, out of scope? What is our CIA? What are security objectives to protect our firmware security? Make sure that we're installing firmware updates on a regular cadence, that we have a strategy for that, and that we're also checking the configuration of our platforms
Starting point is 00:14:04 to make sure they're in a state where we expect them to be. Our thanks to Maggie Haurigy for joining us. The research is titled Three Firmware Blind Spots Impacting Security. We'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:14:48 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Starting point is 00:15:28 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. Thank you.
